Attorney Docket RSW92m00JlUSl 
IN THE UNITED STATES PATENT & TRADEMARK OFFICE 

February 14, 2007 

In re application of David A. Bruton, et al. 

Serial No.: 10/058,689 Filed: January 28, 2002 

For: Intrusion Event Filtering and Generic Attack Signatures 

Art Unit: 2137 Examiner: Zachary A. Davis 

RESPONSE TO NOTICE TO FILE CORRECTED APPLICATION PAPERS 

Mail Stop Issue Fee sent by fax to 571-270-9803 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Attn: Mr. Dale G. Olson, Office of Patent Publication 
Sir: 

This Response is in reply to the Notice to File Corrected Application Papers (hereinafter, 
"the Notice") dated February 7, 2007, a copy of which is submitted herewith. The following 
remarks are respectfully submitted. 

The Notice states that a line is crossed out in FIG. 18. This is intentional. The crossed- 
out line (i.e., a line 1870 with an "X" placed thereupon) is discussed on p. 48 of Applicants' 
specification, lines 1 - 2, which state "The 'X' on the arrow extending from probe 1870 to rule 
1810 is intended to illustrate that the rule is not applicable for this probe." 

Accordingly, Applicants respectfully submit that FIG. 18 is correct as currently 
presented, and request that the Notice be withdrawn. 



Cust. Nbr. for Correspondence: 43168 
Phone: 407-343-7586 
Fax: 407-343-7587 

Attached: Notice to File Corrected Application Papers, including 
Identification of Drawing Deficiencies (2 pages total) 



Respectfully submitted, 




Marcia L. Doubet 
Attorney for Applicants 
Reg. No. 40,999 
UNITED STATES PATENT AND TRADEMARK OFFICE 

Commissioner for Patents 
United States Patent and Trademark Office 
P.O. Box 

Serial No. : 10/058,689 
Applicant : Bruton et al. 
Filing Date : 1/28/02 
Date Mailed : 2/7/07 



NOTICE TO FILE CORRECTED APPLICATION PAPERS 

Notice of Allowance Mailed 

This application has been accorded an Allowance 
application, however, is incomplete for the reasons below. 

Applicant is given 60 days from the mail date of this Notice within which to 
informalities indicated below. If the informality pertains to the abstract, specification (including 
claims) or drawings, the informality must be corrected with a 

CFR 1.121 (or, if the application is a reissue application, 37 CFR 1.173). Such an amendment 
may be filed after payment of the issue fee if limited to correction of 
See Waiver of 37 CFR 1.312 for Documents 

Gaz. Patent Office 9W (March 23, 2004). In addition, if the informality is not corrected until 
after payment of the issue fee, for purposes of 35 U.S.C. 154(b)(1)(iv), 
will be considered to have been satisfied when 

A failure to reply will result in the application 
This period for reply is 

NOT extendable under 37 CFR 1.136(a). 



See attachment. 

"Mail Stop Issue Fee, Commissioner for Patents, 
P.O. Box 1450, Alexandria, VA 22313-1450", 




Office of Patent Publication 
Phone: 703-308-9250 ext. 122 
IDENTIFICATION OF DRAWING DEFICIENCIES 

□ There is a hole or the image thereof within the 

□ The character of the lines, numbers and letters 

of the drawing, such as a dark line caused by a 

FIG(s) 

□ AnmkstoniporaniinagBObswmapMlofflwrt 

The drawing is marred by black obliterations, or fax/copier 

□ 

FIG(s). 

□ Figure numbers are duplicated or missing. FIG(s) 

□ The drawing's background shows that the 

a pattern or decoration. FIG(s) 

□ T*en0.n»nil^Iabdtopl«;edSnalc«tiantl»t««s«*l«d 

□ Data, a reference number, or part of the 

1.8l(uXl). FIG(s) 

□ ThBd»wi«gaiKVor1hemiabd»»iitaii<s)fiwe 

□ Color drawings are present in the application but the 
not been met: 

□ Petition filed 

□ Petition fee 

□ i sets of color drawings 
□ Color drawing paragraph 

If color drawings are not elected, then applicant m|P^o stating. Also, references to 
color drawings in the specification, if any, must be 
COMMENTS: 
The "X" on the arrow extending from probe 1870 to rule 1810 is intended to illustrate that the 
rule is not applicable for this probe. 

The final correlation shown in Fig. 18 is between probe 1880 and rule 1820. Probe 1880 
presumably sets the ConditionType parameter to "attack" and the AttackType parameter to 
"fragment", and determines that the current event is of medium suspicion. Because the condition 
part of rule 1820 is matched in this example and the rule specifies that it applies for the medium 
sensitivity level, and table 1500 indicates that the event therefore counts, an arrow is shown 
extending from probe 1880 to rule 1820. 

By specifying sensitivity levels in each rule, as shown in Fig. 18, a fine-grained approach 
to filtering events can be achieved. (Alternatively, a system-wide sensitivity level might be used to 
provide a coarse-grained filtering; in this case, individual sensitivity levels are not required.) 

As illustrated at 1890 in Fig. 18, the sensitivity/suspicion level technique can be applied in 
an implementation that maps the prior art detailed, attack-specific signatures from a signature file 
to the IDS policy (i.e. the rules in policy repository 1800) which is described herein. (This 
approach is beneficial in a network-based IDS solution.) As shown at 1891, a packet having all 
code bits set may be considered a malformed packet attack which has a high suspicion level (as 
indicated by the syntax elements "<malformed>" and "<HS>"). The signature at 1892, applying 
to packets having the SYN or FIN bits set along with a source port number of "0", is also 
considered a malformed packet attack which has a high suspicion level. Signatures 1893 and 1894 
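
Added example (not part of the specification or of Applicants' implementation): a Python sketch of the filtering described above, in which the signatures at 1891 and 1892 map a packet to a generic attack type and suspicion level, and a rule applies only when its sensitivity level lets that suspicion level count. The COUNTS mapping is an assumed stand-in for table 1500, which this excerpt does not reproduce; the rule names and packet fields are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# TCP code (flag) bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_CODE_BITS = FIN | SYN | RST | PSH | ACK | URG

# ASSUMPTION: stand-in for table 1500, which this excerpt does not reproduce.
# Rule sensitivity level -> suspicion levels whose events count.
COUNTS = {"low": {"high"},
          "medium": {"medium", "high"},
          "high": {"low", "medium", "high"}}

@dataclass(frozen=True)
class Signature:
    matches: Callable[[dict], bool]
    attack_type: str
    suspicion: str

# The two signatures the text describes at 1891 and 1892.
SIGNATURES = [
    Signature(lambda p: (p["flags"] & ALL_CODE_BITS) == ALL_CODE_BITS,
              "malformed", "high"),
    Signature(lambda p: bool(p["flags"] & (SYN | FIN)) and p["sport"] == 0,
              "malformed", "high"),
]

@dataclass(frozen=True)
class Rule:
    name: str
    condition_type: str
    attack_type: str
    sensitivity: str

# Constructed policy; "fragment-medium" mirrors what the text says of rule 1820.
RULES = [Rule("malformed-low", "attack", "malformed", "low"),
         Rule("fragment-medium", "attack", "fragment", "medium")]

def probe(packet: dict) -> Optional[dict]:
    """Map a packet to a generic event via the first matching signature."""
    for sig in SIGNATURES:
        if sig.matches(packet):
            return {"ConditionType": "attack", "AttackType": sig.attack_type,
                    "suspicion": sig.suspicion}
    return None

def applicable_rules(event: dict, rules=RULES) -> list:
    """Rules whose condition matches and whose sensitivity lets the event count."""
    return [r.name for r in rules
            if (r.condition_type, r.attack_type)
            == (event["ConditionType"], event["AttackType"])
            and event["suspicion"] in COUNTS[r.sensitivity]]
```
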